X.500 Standard status
X.509 Related activities
How to be involved
Tutorial section 1
Tutorial section 2
X.509 at work
At the ITU-T Study Group 17 meeting 29 August - 7 September 2012 two new work items were proposed to initiate work on the deployment of Public-Key Infrastructure within different environments. This work item is common for Question 11, Generic technologies to support secure applications and Question 10, Identity management architecture and mechanisms with Question 11 as the leading question.
The two new work items texts are:
PKI is a powerful tool that can be used to provide secure authentication and authorization for security association (SA) and key establishment. However, PKI can be difficult to deploy and operate. This is primarily because PKI standards (such as X.509 and IETF RFC 5280) only provide a high level framework for digital certificate usage and for implementing a PKI. They provide a mechanism for defining naming conventions, certificate constraints, and certificate policies, but they do not specify how these should be used.
These standards rightfully leave the specification of these details, also called profiling, to be outlines for the particular type of deployment of PKI. Some industries (such as the financial services industry) have standardized a model PKI policy. The purpose of a profile is to define the naming conventions, constraints, policies, and many operational aspects of a PKI for a particular environment.
The profiling of Public-Key Infrastructure has so far typically been done by industry groups or similar organisations for particular purposes, such as:
The first two groups are primarily profiling the Rec. ITU-T X.509 for particular purposes, while PKIX in addition is a standard making body.
Some traditional standards organisations, like ITU-T, IEC and IEC are also attempting to develop some kind of PKI profiling as addition to their standardisation process, for example:
There probably many other examples of fragmented PKI profiles like work completed or in progress. A more coordinated approach seems necessary.
The PKI profiling work should cover items like:
The requirements as indicated above may be different for different environment resulting in multiple profiles. Certain aspects may be common for several profiles.
As the works develops, the document structure will be determined. It may be relevant to have different documents for different environments.
At the ITU-T Study Group 17 meeting 29 August - 7 September 2012 two liaison statements were issued as listed below:
IN addition, liaison should be established with other organisations doing PKI profiling like work.
The PKIX group will be consulted on many detailed issues.